Shellshock

Despite the crush of information and demand for action over the latest bug affecting us, the sky isn’t falling. This isn’t the first, and it won’t be the last. While the shock and magnitude of the problem requires attention, the key is to guide the appropriate response. Ultimately, our ability to detect and respond accordingly must become as much a part of our fabric as the bias for prevention we’re pivoting from.

Describing each new discovery as dire quickly leads to a fatigue of our colleagues to the point where they tune out.

What happens when we really need them to pay attention and take action?

Before firing off an email about “the worst bug ever that affects everyone,” take a few minutes to consider an executive plan of action that generates the appropriate response while still maintaining the security of the organization.

Here are three steps to get started. Done right, these steps inform your ability to plan, decide, and act with confidence.

First, take a moment to understand

When it feels like everyone is calling for action, start with a deep breath. Take a moment to grasp the challenge, the severity, and potential consequences and impacts. The news and analysis will shift. New discoveries and understanding will advance. The context and the consequence typically gets clearer.

At this early stage, focus on gathering the information necessary to understand. More, consider these basic goals:

Get good information to make sure you understand the situation; sometimes this is hard while the initial analysis is happening, mixing hype in with solid insights. Rely on others and share the insights helping you.

Figure out how to explain it to others. This includes multiple audiences -- anyone affected that needs to take action. That likely means the ability to ensure your team shares a common understanding, your colleagues understand, and you are prepared to brief executives.

Consider how your organization operates. Who needs to be involved? What processes and procedures need to be followed? What is the anticipated scale and speed of response needed?

By considering multiple perspectives, you gain time to review the early analysis and recommendations of others. It also means pulling in colleagues and including them in the process. No need to recreate the wheel. This is where we need to find and share good information, explanations, and recommended actions.

Given the likelihood of working with others (and across teams/platforms), the key is consistency and clarity of communication. Make the investment early in the process to overcome the friction in communication that complicates the remediation process.

Keep in mind that everyone is busy. Most are dealing with pressing concerns of their own. Coming to them with another emergency is adding more stress and complexity to their job. Just because we deem this more urgent than their current focus doesn’t mean they agree - or that we’re right.

Instead of shouting louder, consider how to make the case for action-- in the context of the company and business outcomes -- in a way that ensures everyone gets what they need.

Then quickly assess your environment

As with most newly discovered vulnerabilities, different ways of determining risk are coming forth. Manual checks lead to automated scans. Popular tools are updating their capabilities to look for this, too. Check with your vendors to see how they can help.

Conduct whatever inventory and assessment is available to you. It’s the one place where taking some action is generally better than waiting. Focus on understanding the magnitude of the potential risk. Use the assessment to help scale the response and put the entire effort into context for the organization.

Involve others in the process. Leverage their reach and experience to assess the potential range of impacts. When the business and other teams are exposed to the process and given a voice to explain what could go wrong, the conclusion is more accurate and holds more validity with others.

Take time to capture the high-level approach, steps, and resources necessary. Test out the steps and map out the time and effort necessary to provide an estimate of timeline, cost, and impact. Identify potential challenges and complicated elements to address.

Consider detection when prioritizing your response

While news of the bug surfaced this week, it’s possible that attackers have already exploited it. Are you able to detect if someone has compromised a machine using the vulnerability (as opposed to reporting the potential)?

Now that we’ve moved past prevention, the spotlight shines on detection and response. In the event an attacker managed to exploit the bash bug - regardless of when - you need to know. It is essential to detect them as quickly as possible and remediate those machines.

Ultimately, the priority of the response is governed by a blend of vulnerable systems, infected machines, and the policies/processes that dictate testing and patch management. Focus on the most important systems first, and systematically address the balance.

What actions are providing you the best results?

Remember that “slow is smooth, smooth is fast” when considering and coordinating the appropriate response to a broad industry-wide challenge.

Start to finish, forming an executive plan of action might take a few hours, possibly a day or two. Taking the time to work through these three steps reduces the friction in communication that often hampers the response. That leads to a faster remediation.

Where are you finding good insights, information, and tools that are helping you explain the challenge -- and the solution -- to others? Share the links and elements you like in the comments to help others improve their responses.

Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience of success advancing security in variety of operational roles.